[Snort-users] Snort syslog message format
erek at ...950...
Wed Jan 8 08:45:03 EST 2003
On Tue, 7 Jan 2003, Douglas Corner wrote:
> Is there documentation describing what is posted to syslog? There seem to
> be several message formats, one for when rules fire and different formats
> for pre-processors. I am doing some programming to process Snort syslog
> messages and would like to be precise and complete.
Well, the only real docs on that is the source.
And yes, there are 'different formats'. Many moons ago there was no real
format for the output from plugins. That's starting to become more and
Keep in mind the basic format is the same: [xx:yyy:zz] <message>
Where xx is the Generator ID (GID), yyy is the Snort ID (SID), and zz is
the Revision of the SID.
Hope that helps!
"When things get weird, the weird turn pro." H.S. Thompson
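As an added illustration of the `[xx:yyy:zz] <message>` format described in the reply (example code written for this page, not from the original thread or from the Snort project), a small parser that pulls the GID, SID and revision out of a syslog line and leaves everything else in place. The sample lines, the PID and the SIDs are constructed; GID 1 being the rules engine is Snort's convention and is the one fact assumed beyond the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches the "[gid:sid:rev] message" core that Snort writes to syslog.
# Whatever precedes the first such bracket group (syslog timestamp, host,
# "snort[pid]:") is skipped, and "[pid]" alone does not match because it
# lacks the two colons.
SNORT_RE = re.compile(r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*)$")


@dataclass
class SnortEvent:
    gid: int   # Generator ID: 1 is the rules engine, other values are preprocessors
    sid: int   # Snort ID within that generator
    rev: int   # revision of the SID
    msg: str   # remainder of the line (alert text, classification, addresses)


def parse_snort_syslog(line: str) -> Optional[SnortEvent]:
    """Return a SnortEvent for a line carrying [gid:sid:rev], else None."""
    m = SNORT_RE.search(line)
    if m is None:
        return None
    return SnortEvent(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"].strip())


def is_rule_alert(ev: SnortEvent) -> bool:
    """True when the event came from a rule firing (GID 1), not a preprocessor."""
    return ev.gid == 1


# Constructed sample syslog lines (not captured from a real sensor).
SAMPLE_LINES = [
    "Jan  8 08:45:03 sensor snort[1234]: [1:1000001:2] EXAMPLE rule fired "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:4242 -> 10.0.0.9:80",
    "Jan  8 08:45:04 sensor snort[1234]: [116:2:1] (snort_decoder): example decoder message",
    "Jan  8 08:45:05 sensor sshd[999]: Accepted publickey for alice",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_snort_syslog(line)
        print("not a Snort event" if ev is None else ev)
```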